FCC boss Ajit Pai says the agency will finally take steps to shore up the security of the FCC’s public comment system after being widely criticized for turning a blind eye to routine fraud and abuse. If you’ll recall, more than 22 million Americans voiced their thoughts on the Trump FCC’s attack on net neutrality last fall via the agency’s website. The vast majority of comments opposed the move, closely reflecting surveys that show widespread, bipartisan support for the rules. The public comment period for the repeal was the only real opportunity most Americans had to share their thoughts on the plan. Unfortunately, the FCC largely ignored public input, barreling forward with what may just be the least popular tech policy decision in the history of the internet. Not a single one of your comments was cited in the FCC’s 218 page justification for its decision. Worse, the entire public comment process was found to be rife with fraud and abuse. Anonymous attacks flooded the system with fake comments made by a combination of real, fake, and deceased individuals. My name was among those hijacked, and when I contacted the FCC for guidance—the agency informed me there was nothing they could do. The fraud prompted an ongoing investigation into identity theft by New York’s Attorney General. In a public letter last November, NY’s AG stated the FCC ignored nine attempts over five months to obtain server logs, API key details, or other information that could have aided the investigation into who was behind the attack. The agency is also facing an ongoing lawsuit for ignoring Freedom of Information Act requests attempting to shine more light on the problem. At the same time, the FCC is also facing an inquiry by the General Accounting Office into its failure to protect FCC systems. Back in May, Senators Senators Jeff Merkley (D-OR) and Pat Toomey (R-PA) fired off a letter to Pai demanding he actually do something about the abuse of FCC systems. “Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the FCC’s comment period for the net neutrality rule,” the Senators wrote. “We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.” In a response letter this week provided to the Wall Street Journal, Pai says the agency is finally taking steps to address the problem, while acknowledging his own identity was hijacked during the comment process.
“It is troubling that some bad actors submitted comments using false names,” Mr. Pai said. “Indeed, like you, comments were submitted in my name and my wife’s name that reflect viewpoints we do not hold.” Consumer advocates have repeatedly claimed that whoever attacked the comment system was hoping to undermine trust in the integrity of the comment process, thereby allowing the industry (and the FCC) to downplay overwhelming opposition to their plan. It’s a problem that doesn’t appear to have been exclusive to the FCC. Pai’s letter, which wasn’t publicly shared, states that the FCC hopes to eventually “rebuild and re-engineer” the commission’s electronic comment system “to institute appropriate safeguards against abusive conduct.” It also states that Pai will approach Congress for funding for the overhaul, something Pai likely knows may not actually happen. A timeline was not given for the purported improvements, and the FCC did not immediately respond to a request for comment as to why such measures hadn’t been implemented earlier. Among the improvements Pai said he’d consider is the implementation of a basic CAPTCHA system. That’s not a full solution, but it would have easily thwarted the bot used to file the bogus comments, which posted the fake missives in perfect alphabetical order as it pulled the names from what appears to have been a stolen database of unknown origins. Of course a promise doesn’t mean an actual fix is coming anytime soon, and Pai’s letter also fails to address why the FCC repeatedly refused to aid law enforcement inquiries. It’s behavior well in line with an agency that made up a DDOS attack and repeatedly leaned on completely bogus data and false claims to justify the repeal. It’s likely that these and other strange behaviors will see renewed attention courtesy of the numerous lawsuits currently headed the agency’s direction.